CVE-2025-13610 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login, affecting all versions up to and including 6.0.6.7. The root cause is insufficient sanitization and escaping of the 'theme' attribute within the plugin's RM_Forms shortcode, which allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. This malicious script is stored persistently and executes in the context of any user who accesses the compromised page, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability is exploitable remotely over the network without requiring user interaction, but it does require the attacker to have at least contributor-level access to the WordPress site, which is a moderate barrier. The CVSS v3.1 base score is 6.4, reflecting a medium severity with partial impacts on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability poses a risk to sites that allow user-generated content or have multiple contributors. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in plugins handling user registration and payment functionalities. The lack of a patch link suggests that a fix may still be pending or in development.

For European organizations, this vulnerability can lead to unauthorized script execution within their WordPress sites, potentially compromising user credentials, session tokens, and sensitive data. Since the plugin handles registration and payment forms, attackers could manipulate user interactions or steal payment-related information indirectly through XSS attacks. The requirement for contributor-level access limits the attack surface to organizations that allow multiple users to contribute content or manage registrations, common in educational institutions, e-commerce platforms, and membership sites. Exploitation could damage organizational reputation, lead to data breaches under GDPR regulations, and result in financial losses or legal penalties. The persistent nature of stored XSS means the attack can affect multiple users over time, increasing the risk. Additionally, the vulnerability could be leveraged as a pivot point for further attacks within the network or to distribute malware. Organizations relying heavily on WordPress and this plugin for customer-facing services are particularly vulnerable.

Immediate mitigation involves restricting contributor-level access to trusted users only and auditing existing user roles to minimize unnecessary permissions. Organizations should monitor and review all user-generated content, especially any input related to the 'theme' attribute in RM_Forms shortcodes. Applying Web Application Firewall (WAF) rules to detect and block suspicious script injections targeting this plugin can reduce risk. Until an official patch is released, consider disabling or replacing the RegistrationMagic plugin with alternatives that have secure input handling. Developers or administrators can implement custom input validation and output encoding for the 'theme' attribute to prevent script injection. Regularly updating WordPress core and all plugins is critical once patches become available. Conduct security awareness training for site administrators about the risks of granting contributor-level access. Finally, implement Content Security Policy (CSP) headers to limit the impact of any injected scripts.